25C3: CTF dominated by iphone-dev team, HackMii

While we had been excited about 25C3’s CTF competition, we couldn’t even venture a guess as to who would win. It seems the iphone-dev team weren’t satisfied to just give an amazing talk. They teamed up with the Wii hackers from HackMii to win the competition. You can see their progress during the eight-hour competition above in red. It’s impressive to see hardware hackers jumping over to network security AND completely killing at it.

There were no buffer overflows.
Challenges / services:
– insecure setups / “trojaned” configs
– An Ada service with a rather obvious backdoor (and some less obvious) + a search flaw which led to revelation (and therefore retrieval) of flags.
– A real funny Perl implementation of BASIC as a CGI-handler. It had some unsanitized open()-calls which enabled arbitrary file reads, command execution through pipes, etc.
– Some Ruby web service which I must admit I didn’t understand much of.

[I might have missed one or two there, but you get the concept. There wasn’t any “real” overflow-stuff]
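
The Perl open() issue mentioned in the comment above, shown as an added example that is not part of the original post or the CTF service: it classifies how two-argument open() would treat a user-supplied name and contrasts that with a hardened three-argument open. The function names, the `prog.bas` file name and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# How two-argument open($fh, $name) would interpret $name. Classification
# only: nothing is opened or executed here.
sub two_arg_mode {
    my ($name) = @_;
    (my $s = $name) =~ s/^\s+|\s+$//g;   # two-arg open strips surrounding whitespace
    return 'pipe: runs the rest as a command' if $s =~ /^\|/ || $s =~ /\|$/;
    return 'opens for writing or appending'   if $s =~ /^\+?>/;
    return 'opens read-write'                 if $s =~ /^\+</;
    return 'opens for reading';
}

# Hardened replacement: allow-listed file name, path confined to $base
# (assumed not to be "/"), and three-argument open so the mode is fixed
# and the name is never parsed for mode characters or pipes.
sub safe_open_read {
    my ($base, $name) = @_;
    die "invalid name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    my $root = realpath($base) // die "bad base directory\n";
    my $path = realpath(File::Spec->catfile($root, $name)) // die "no such file\n";
    die "outside base directory\n" unless index($path, "$root/") == 0;
    open(my $fh, '<', $path) or die "open failed: $!\n";
    return $fh;
}

# Constructed sample inputs (not taken from the competition).
for my $name ('prog.bas', '../../etc/passwd', 'id |', '| cat', '>prog.bas') {
    my $fh = eval { safe_open_read('.', $name) };
    (my $err = $@) =~ s/\s+\z//;
    printf "%-20s two-arg: %-34s hardened: %s\n",
        "'$name'", two_arg_mode($name), $fh ? 'opened' : "rejected ($err)";
}
```

A name that passes the allow-list can still be rejected at the open step if no such file exists in the base directory, which is what happens to `prog.bas` when the script is run in an empty directory.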

Your age comment is ridiculous, blizzarddemon. Those guys won because they were quick to grasp the system setup and develop methods for systematically collecting the “flags” (hashes) from the other contestants and because of their ability to navigate through the treacherous config files (those were causing our team, the Janet Reno Redemption Fund, real problems – I think three hours passed before we *found* the last two services), not because of their age. I’m 15, and I think the oldest person in our team was 40-something, so we had the whole range covered – so why didn’t we win?! ;o)